SANS ISC InfoSec Forums

Malware authors will often hide strings (like URLs) or even a full payload as property values of VBA forms. The stream that contains this information can be easily recognized with oledump.py, the name ends with /o:

I was given a sample (MD5 1b0fbd5e0af361058a8115b941232e34) where such a stream is particularly large. Looking into the stream (index 15), we see an hexadecimal string starting with 4d5a. That's MZ in ASCII, and most likely a Windows executable.

Sometimes analyzing malicious documents can be rather easy: without looking at the VBA macro code of this sample, you can quickly find the embedded payload. This embedded payload can be easily extracted with base64dump.py: